CVE-2026-33311

EUVD-2026-14182 | MEDIUM 4.7 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

- Patch Released: Mar 31, 2026 - 21:13 (nvd) - Patch available
- EUVD ID Assigned: Mar 19, 2026 - 18:00 (euvd) - EUVD-2026-14182
- Analysis Generated: Mar 19, 2026 - 18:00 (vuln.today)
- CVE Published: Mar 19, 2026 - 17:49 (nvd)

Description

## Summary

SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and serve the resulting SVG inline or with `Content-Type: image/svg+xml`.

## Affected packages

- **`@dicebear/core`** - `backgroundColor` option values interpolated into SVG attributes without escaping (affects `solid` and `gradientLinear` background types)
- **`@dicebear/initials`** - `fontFamily` and `textColor` option values interpolated into SVG attributes without escaping

## Fix

All affected SVG attribute values are now properly escaped using XML entity encoding. Users should upgrade to the listed patched versions.

## Mitigating factors

- Applications that validate input against the library's JSON Schema before passing it to `createAvatar()` are not affected
- The DiceBear CLI validates input via AJV and was not vulnerable
- Exploitation requires that an application passes untrusted, unvalidated external input directly as option values
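The unescaped attribute interpolation and the XML-entity-encoding fix described above, as an added example written for this page and not DiceBear's own code. `renderSolidBackgroundUnsafe`, `renderSolidBackgroundSafe`, `escapeXml` and `isValidColor` are hypothetical stand-ins for the library's rendering and schema validation, and the input value is constructed.

```javascript
// Added example (not DiceBear's code): how an unescaped option value breaks out
// of an SVG attribute, and how XML entity encoding keeps it inside the value.

// The five characters that must never reach an XML attribute unencoded.
const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// XML entity encoding for attribute values (the class of fix the advisory describes).
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Vulnerable shape (hypothetical): the option value is dropped straight into the attribute.
function renderSolidBackgroundUnsafe(options) {
  return `<rect width="100" height="100" fill="${options.backgroundColor}"/>`;
}

// Hardened shape (hypothetical): every interpolated attribute value goes through escapeXml.
function renderSolidBackgroundSafe(options) {
  return `<rect width="100" height="100" fill="${escapeXml(options.backgroundColor)}"/>`;
}

// Defence in depth, the schema-style check the advisory lists as a mitigating factor:
// a hex colour never contains a quote or angle bracket, so rejecting anything else
// stops attribute injection before rendering even happens.
const HEX_COLOR = /^#?[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/;
function isValidColor(value) {
  return typeof value === 'string' && HEX_COLOR.test(value);
}

// Constructed input: a value that closes the fill attribute and adds one of its own.
const injected = '#ff0000" data-injected="1';

// Unescaped: the output carries an attribute the caller never wrote.
function unsafeOutput() {
  return renderSolidBackgroundUnsafe({ backgroundColor: injected });
}

// Escaped: the quote becomes &quot; and the whole string stays inside fill="...".
function safeOutput() {
  return renderSolidBackgroundSafe({ backgroundColor: injected });
}

console.log('unsafe :', unsafeOutput());
console.log('safe   :', safeOutput());
console.log('schema :', isValidColor(injected), isValidColor('#ff0000'));
```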

Analysis

DiceBear avatar generation libraries (@dicebear/core and @dicebear/initials) are vulnerable to stored XSS through unescaped SVG attributes when user-supplied options like backgroundColor, fontFamily, and textColor are directly interpolated into SVG output. Attackers can inject malicious JavaScript that executes when the resulting SVG is rendered inline or served with SVG content-type, affecting any application that passes untrusted input to the createAvatar() function. …


Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.


Priority Score: 26 (KEV: 0, EPSS: +3.0, CVSS: +24, POC: 0)

